Threat Description

Backdoor:W32/IRCBot.BNZ

Details

Summary

IRCBot.BNZ is a backdoor. It can be instructed to scan for vulnerable target machines,
update itself, and download and execute arbitrary files.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

This IRCBot connects to the IRC server fixed.milan-fans.com on port 2233 and waits there for instructions from its controller.

A backdoor is a trojan that allows unauthorized access to a computer system. It is
a remote access tool that allows a hacker to gain access to a compromised computer
through the "back door" that the trojan has opened (usually a TCP or UDP port).

Usually a backdoor is a standalone file that installs itself on the system after
it is run and then remains resident in memory, listening on specific network ports
for commands from the remote host. IRCBot.BNZ does not wait for inbound connections
in this way: it connects out to the IRC server named above and takes its commands from there.

IRCBot.BNZ is downloaded from malicious sites. The download can be initiated by
shellcode executed on a target machine through a vulnerability covered by Microsoft
Security Bulletin MS04-011 that has not been patched.

When first run, the malware copies itself to %WINDOWS%\System32\spool.exe and to
C:\%name%.exe, where %name% is a random six-digit number.
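As an added example (not F-Secure tooling and not code from the original description), the following Python matches the two kinds of indicator this page gives, the IRC command channel at fixed.milan-fans.com port 2233 and the dropped copies at %WINDOWS%\System32\spool.exe and C:\%name%.exe, against constructed file-path and connection records. The record format, the sample paths and every hostname other than the C2 server are assumptions made for the example. It deliberately does not match spoolsv.exe, the legitimate Print Spooler binary that also lives in System32.

```python
"""Indicator matcher for Backdoor:W32/IRCBot.BNZ (added example, not F-Secure code).

All sample data below is constructed for the example; nothing is a real capture.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Network indicator from the description: the bot's IRC command channel.
C2_HOST = "fixed.milan-fans.com"
C2_PORT = 2233

# File indicators from the description. %WINDOWS% is normally C:\WINDOWS or
# C:\WINNT, so any single directory under the drive root is accepted before
# System32. The dropped copy is spool.exe exactly; the real Print Spooler is
# spoolsv.exe and must not be flagged.
SYSTEM32_COPY = re.compile(r"^[a-z]:\\[^\\]+\\system32\\spool\.exe$", re.IGNORECASE)
# C:\%name%.exe, where %name% is a random six-digit number.
ROOT_COPY = re.compile(r"^c:\\\d{6}\.exe$", re.IGNORECASE)

# Assumed record format for connection logs: "<src_ip> -> <dst_host>:<dst_port>"
FLOW_RE = re.compile(r"^(\S+)\s+->\s+(\S+):(\d+)$")


@dataclass(frozen=True)
class Finding:
    source: str      # "file" or "network"
    indicator: str   # which indicator matched
    evidence: str    # the record that matched


def check_path(path: str) -> Optional[Finding]:
    """Flag a file path that matches one of the two dropped-copy locations."""
    p = path.strip()
    if SYSTEM32_COPY.match(p):
        return Finding("file", "system32_spool_exe", p)
    if ROOT_COPY.match(p):
        return Finding("file", "root_six_digit_exe", p)
    return None


def check_connection(record: str) -> Optional[Finding]:
    """Flag a connection record to the C2 host on the C2 port.

    Both host and port are required: the hostname alone may later be
    sinkholed or reused, and port 2233 alone is not distinctive.
    """
    m = FLOW_RE.match(record.strip())
    if not m:
        return None
    host, port = m.group(2).lower(), int(m.group(3))
    if host == C2_HOST and port == C2_PORT:
        return Finding("network", "irc_c2", record.strip())
    return None


def scan(paths: Iterable[str], flows: Iterable[str]) -> List[Finding]:
    """Run both checks and return every finding."""
    found = [f for f in (check_path(p) for p in paths) if f is not None]
    found += [f for f in (check_connection(r) for r in flows) if f is not None]
    return found


# Constructed sample input (not from a real machine).
SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\spool.exe",    # dropped copy
    r"C:\WINDOWS\System32\spoolsv.exe",  # legitimate Print Spooler, must not match
    r"C:\483920.exe",                    # dropped copy, six random digits
    r"C:\48392.exe",                     # five digits, not the pattern
    r"C:\Program Files\app\spool.exe",   # right name, wrong directory
]
SAMPLE_FLOWS = [
    "10.0.0.7 -> fixed.milan-fans.com:2233",  # C2 channel
    "10.0.0.7 -> irc.example.net:6667",       # unrelated IRC traffic (assumed host)
    "10.0.0.9 -> fixed.milan-fans.com:80",    # C2 host, wrong port
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PATHS, SAMPLE_FLOWS):
        print(f"{f.source:8} {f.indicator:22} {f.evidence}")
```

Running the block prints three findings: the System32 copy, the six-digit copy in the root of C: and the connection to the IRC server on port 2233. The spoolsv.exe entry and the port-80 connection to the same host are left alone on purpose.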